Accessibility

Security bulletin

AIR update available to address security vulnerabilities

Release date: November 17, 2008

Vulnerability identifier: APSB08-23

CVE number: CVE-2008- 5108

Platform: All Platforms

Summary

A vulnerability has been identified in Adobe AIR 1.1 and earlier that could allow an attacker who successfully exploits this potential vulnerability to execute untrusted JavaScript with elevated privileges. An Adobe AIR application must load data from an untrusted source to trigger this potential vulnerability.

AIR 1.5, which integrates Flash Player technology, includes a Flash Player update to resolve the critical issues as outlined in Flash Player Security Bulletin APSB08-22, as well as issues included in Flash Player Security Bulletins APSB08-20 and APSB08-18. Adobe recommends AIR customers update to Adobe AIR 1.5..

Affected software versions

Adobe AIR 1.1 and earlier.

Solution

Adobe recommends all users of Adobe AIR 1.1 and earlier versions upgrade to the newest version AIR 1.5 by downloading it from the AIR Download Center, or by using the auto-update mechanism within the product when prompted.

Severity rating

Due to the potential vulnerabilities to Flash Player as outlined in Security Bulletin APSB08-22, Adobe categorizes this as a critical update and recommends affected users upgrade to version 1.5.

Details

A vulnerability has been identified in Adobe AIR 1.1 and earlier that could allow an attacker who successfully exploits this potential vulnerability to execute untrusted JavaScript with elevated privileges. An Adobe AIR application must load data from an untrusted source to trigger this potential vulnerability. In addition, AIR 1.5 includes a Flash Player update to resolve the critical issues outlined in Flash Player Security Bulletin APSB08-22, as well as issues included in Flash Player Security Bulletins APSB08-20 and APSB08-18. Adobe recommends AIR customers update to Adobe AIR 1.5. These issues are remotely exploitable.

Acknowledgments

Adobe would like to thank Chris Weber of Casaba Security for reporting the AIR JavaScript execution issue and for working with Adobe to help protect our customers' security.